Welcome to the Jungle
PENTESTING AWS
1
ABOUT
MIKE FELCH
@USTAYREADY ON TWITTER
SECURITY RESEARCH / RED TEAM @ BHIS
• EXPLOITING SINCE RENEGADE BBS BACKDOORS
• POPPING BOXES SINCE /CGI-BIN/PHF IN ’97
• SOFTWARE DEV SINCE VISUALBASIC3 WAREZ
• PENTESTING SINCE AROUND 2005
2
ABOUT
THIS TALK
PENTESTING AWS
IN-DEPTH AND AT SCALE
• NOT A REFLECTION OF AMAZON
• WE RELY A LOT ON USING AWS CLI
• LET’S DIG INTO SERVICES
• SCALE ACROSS MANY ACCOUNTS
• REPORT, REPORT, REPORT!
3
PRESENTATION
AGENDA
HIGH-LEVEL TESTING OVERVIEW
INITIAL ACCESS PROVISIONING
NEW TOOL
CLOSING THOUGHTS
PENTEST PHASES
4
SCALING THE PENTEST
HIGH LEVEL
TESTING OVERVIEW
5
HIGH-LEVEL TESTING OVERVIEW
WHAT ARE WE TESTING?
Organizations
• Consolidated AWS accounts for easy management
AWS Account
• We test one or more AWS accounts, sometimes not all
• Contains resources in different locations (regions)
• Usually used for scoping pentests
*DISCLAIMER*
• Depends on the client, sometimes they want something different
• … like starting as a developer with access to a dev environment
6
HIGH-LEVEL TESTING OVERVIEW
RESOURCES
Resources are “what” you are testing
• EC2: virtual server that comes in different sizes/locations
• S3: object storage with a globally unique name
• RDS: a typical relational database
• Lambda: microservice that runs code without a server
• … over 200 different types of services
*WARNING*
• Usually pieced together like Legos
• Done right, can be hard to break
• Done wrong, has major consequences
• Exploit a resource and interact with different resources
7
HIGH-LEVEL TESTING OVERVIEW
SCOPING
How many AWS accounts are being tested?
• 5-10 accounts? One-week in-depth test
• 100+ accounts? Time boxed wide test
How many different resources in each account?
• Good to know up front, hard to use in scoping
How many regions are being used in each account?
• Great way to reduce reconnaissance time
Be sure to set the client expectations during scoping call!
8
HIGH-LEVEL TESTING OVERVIEW
IAM WHO I AM
We need read-only access to start testing... but how?
Solution? Identity and Access Management (IAM)!
• Controls access to AWS resources for users
• Typical users, groups, and permissions
• Uses “policies” to apply permissions for resources to users
• Password policies, MFA, and monitoring w/ CloudTrail
• “Principal” is an entity in AWS (user, role, AWS account, etc)
Why is this important?
• Vulnerable policies are the gateway for our exploitation
• Start testing with read-only access, exploit from there
9
10
11
INITIAL ACCESS
PROVISIONING
12
INITIAL ACCESS PROVISIONING
ACCESS CREDENTIALS
IAM User Access and Secret Keys
• Access key IDs identify the user making the request
• Secret keys sign the request, confirming the user's identity
Console Credentials
• Account ID (or account alias) + email + password
• Root account email + password
Easier for client to generate when testing few accounts
Harder for client to generate when testing many accounts
13
INITIAL ACCESS PROVISIONING
ASSUMEROLE
Provide internal access, externally
• IAM feature that enables assuming a role w/ permissions
• Great for allowing external accounts to access resources
• External account passes a role ARN (resource name)
• AWS generates temp credentials to external account
• Ideal way for client and tester
• Provide client w/ minimal read-only policy
• Receive role ARN for each account in scope
14
INITIAL ACCESS PROVISIONING
TESTING ENVIRONMENT
• Be sure to install AWS CLI: https://aws.amazon.com/cli/
• Configure *YOUR* testing AWS account (not clients)
• Add client’s AWS accounts into accounts.txt, one per line
• Your keys will be configured in: ~/.aws/credentials
15
INITIAL ACCESS PROVISIONING
TESTING ENVIRONMENT
• Next, we will configure an AssumeRole for your client accounts in: ~/.aws/config
• We need a new profile name, we will use the client’s AWS account number
• We need the ARN for the role that the client created, that gives our account permission
• We need to reference our profile name (account), we used “testing” as the name
16
INITIAL ACCESS PROVISIONING
TESTING ENVIRONMENT
• Retrieve the caller identity from AWS, to verify the profile works
• We will reference the AssumeRole profile name
• It will use our account to assume the role in our client’s account
• Inherits the permissions specified in the policy they used
• If it returns data, we are ready to pentest!
17
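The testing-environment setup above (accounts.txt, an AssumeRole profile per client account named after the account number, "testing" as the source profile, then get-caller-identity to verify) as an added example; this is not code from the talk or from Outpost, which automates the same step. The role name "PentestReadOnly" is a placeholder, and the script assumes the client created a role of the same name in every account.

```python
"""Generate ~/.aws/config AssumeRole profiles for every in-scope client account.

Added example, not from the talk or from Outpost. Assumes the tester's own
keys live in a profile named "testing", that accounts.txt lists one 12-digit
account ID per line, and that each client account exposes a role of the same
name; the role name "PentestReadOnly" used in __main__ is a placeholder.
"""
import re
import subprocess
from pathlib import Path

ACCOUNT_RE = re.compile(r"^\d{12}$")  # AWS account IDs are exactly 12 digits


def read_accounts(text):
    """Parse accounts.txt: one account ID per line; blank lines and # comments ignored."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if not ACCOUNT_RE.match(line):
            raise ValueError(f"not a 12-digit AWS account ID: {line!r}")
        accounts.append(line)
    return accounts


def build_aws_config(accounts, role_name, source_profile="testing", region="us-east-1"):
    """Return ~/.aws/config text with one [profile <account>] stanza per account.

    Naming the profile after the account number is what lets later loops
    (Scout, Outpost, plain AWS CLI) run `--profile $a` straight off accounts.txt.
    """
    stanzas = [
        f"[profile {acct}]\n"
        f"role_arn = arn:aws:iam::{acct}:role/{role_name}\n"
        f"source_profile = {source_profile}\n"
        f"region = {region}\n"
        for acct in accounts
    ]
    return "\n".join(stanzas)


def write_aws_config(accounts, role_name, path=None, **kwargs):
    """Write the generated config; refuses to clobber an existing file."""
    path = Path(path) if path else Path.home() / ".aws" / "config"
    if path.exists():
        raise FileExistsError(f"{path} exists; merge the stanzas by hand or move it aside")
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(build_aws_config(accounts, role_name, **kwargs))
    return path


def verify_profile(account):
    """Run `aws sts get-caller-identity --profile <account>`; True if AssumeRole worked.

    On success the returned Account is the client's, proving the role was assumed.
    """
    result = subprocess.run(
        ["aws", "sts", "get-caller-identity", "--profile", account, "--output", "json"],
        capture_output=True, text=True,
    )
    return result.returncode == 0 and f'"Account": "{account}"' in result.stdout


if __name__ == "__main__":
    accts = read_accounts(Path("accounts.txt").read_text())
    print(build_aws_config(accts, "PentestReadOnly"))
    for acct in accts:
        print(acct, "OK" if verify_profile(acct) else "FAILED")
```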
RESOURCE
RECONNAISSANCE
18
RESOURCE RECONNAISSANCE
DISCOVERY
• For each AWS account being tested…
In each of the regions…
Retrieve each resource…
• While we are at it, let's pull the policies too
• Is there an easy way to check the policies for issues?
• Indeed… ScoutSuite!
*DISCLAIMER*
• ScoutSuite seemed to be dead.
• ScoutSuite doesn’t find everything.
• ScoutSuite doesn’t retrieve all resources.
19
RESOURCE RECONNAISSANCE
SCOUTSUITE
• Generates a nice report dashboard w/ details
• Shows configurations and scans policies for potential issues
• Supports other cloud providers (Azure, GCP, etc)
20
https://github.com/nccgroup/ScoutSuite
RESOURCE RECONNAISSANCE
AWS_LIST_ALL
• Enumerates everything, everywhere!
• Doesn’t flag what’s “bad” (enumeration only, no vulnerability analysis) :(
• Takes time and may exhaust rate limits
21
https://github.com/JohannesEbke/aws_list_all
VULNERABILITIES &
EXPLOITATION
22
VULNERABILITY IDENTIFICATION
• Be cautious! Trust but verify.
• Policies can get complex, watch for false positives
• Use AWS CLI to validate
• Find and parse the scoutsuite_results*.js file(s) for JSON
23
ANALYZE SCOUTSUITE RESULTS
SERVICE EXPLOITATION
Retrieve resources and try anyway!
• Example.. query for all SNS topics in regions
• Retrieve the ARN and publish a message
• Check the response for errors... profit!
ChatGPT to the rescue!
24
BRUTE FORCE RESOURCES
RESOURCE RECONNAISSANCE
CHATGPT
• Generate amazing one-liners to query using AWS CLI
• You can also sanitize a policy and ask if it’s vulnerable
• Be careful not to leak customer accounts & resource names!
25
RESOURCE RECONNAISSANCE
CLOUDGPT
• ChatGPT + Boto3 = AWS YOLO Vulnerability Scanner
• Full tool done, being released at HackSpaceCon April 13-15 @ Kennedy Space Center, FL
26
https://darkoptics.com/cloudgpt
SERVICE EXPLOITATION
Discover IP/hostnames for external infrastructure
• Elastic IPs
• EC2 Public IPs
• Elastic Load Balancer DNSName
• RDS Endpoint Address
• API Gateway REST APIs
• Elastic Beanstalk Endpoint URL
Scan infrastructure
• Port scan using Nmap
• Screenshot using GoWitness
• Fuzz using Ffuf or Dirbuster
• Normal external/web app pentest, look for SSRF!
27
ADDITIONAL ATTACK SURFACE
SERVICE EXPLOITATION
Retrieve IAM usernames & cred reports then brute force the AWS web console
• Cred reports show if MFA enabled with user creation & password change dates
• Look for dates prior to November 2020 (no password policy) :)
• AWS IAM has ***NO LOCK-OUT POLICY***
28
BRUTE FORCE IAM USERS
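Triage of the credential report described above, as an added example that is not from the talk: it decodes the base64 "Content" field that `aws iam get-credential-report` returns and applies the slide's two heuristics (no MFA, password last changed before November 2020) to console-enabled users. The report below is constructed; column names are those of the real report.

```python
"""Triage an IAM credential report for console users exposed to password guessing.

Added example, not from the talk. `aws iam get-credential-report` returns the
report as base64 CSV in its "Content" field; this decodes it and flags users
who have a console password, no MFA, and/or a password last changed before
November 2020 (older than any password policy added since). AWS IAM has no
lock-out policy, so these are the accounts worth reporting first.
"""
import base64
import csv
import io
from datetime import datetime, timezone

POLICY_CUTOFF = datetime(2020, 11, 1, tzinfo=timezone.utc)


def _parse_time(value):
    """Report timestamps are ISO 8601; N/A, no_information, not_supported mean unknown."""
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None


def load_credential_report(content):
    """Accept raw CSV text or the base64 "Content" value from get-credential-report."""
    if not content.lstrip().startswith("user,"):
        content = base64.b64decode(content).decode("utf-8")
    return list(csv.DictReader(io.StringIO(content)))


def triage_console_users(rows, cutoff=POLICY_CUTOFF):
    """Return [(user, reasons)] for users with a console password but weak protections."""
    findings = []
    for row in rows:
        if row["password_enabled"] != "true":
            continue  # no console password to guess (root reports not_supported here)
        reasons = []
        if row["mfa_active"] != "true":
            reasons.append("no MFA")
        changed = _parse_time(row["password_last_changed"])
        if changed is not None and changed < cutoff:
            reasons.append(f"password last changed {changed.date()} (pre-policy)")
        if reasons:
            findings.append((row["user"], reasons))
    return findings


# Constructed sample report, trimmed to the columns used above.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active
<root_account>,arn:aws:iam::111111111111:root,2018-01-05T09:00:00+00:00,not_supported,2024-01-01T00:00:00+00:00,not_supported,not_supported,true
alice,arn:aws:iam::111111111111:user/alice,2019-03-10T12:00:00+00:00,true,2024-03-01T08:00:00+00:00,2019-03-10T12:05:00+00:00,N/A,false
bob,arn:aws:iam::111111111111:user/bob,2021-06-01T12:00:00+00:00,true,N/A,2021-06-01T12:05:00+00:00,N/A,true
carol,arn:aws:iam::111111111111:user/carol,2022-02-02T12:00:00+00:00,false,N/A,N/A,N/A,false
"""
# The same report as the CLI would hand it over: base64 in the "Content" field.
SAMPLE_REPORT_B64 = base64.b64encode(SAMPLE_REPORT.encode("utf-8")).decode("ascii")

if __name__ == "__main__":
    for user, reasons in triage_console_users(load_credential_report(SAMPLE_REPORT_B64)):
        print(user, "->", "; ".join(reasons))
```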
LATERAL MOVEMENT
PRIVILEGE ESCALATION
29
LATERAL MOVEMENT
• Find assumable roles or creds with different permissions
• Leverage services to pivot around
• Unravel roles, policies, and permissions
• Discover resources you can interact with
• Code and repo commits may have creds
• Sometimes you can leverage external AWS accounts
• Sometimes need to leverage internal roles/creds
• Sometimes don’t need any creds at all (i.e. --no-sign-request)
30
GOAL: PERMISSION SNOWBALL
LATERAL MOVEMENT
API keys, tokens, credentials and more!
• Check EC2 User-data
• Check Lambda function code and environment vars
• Check CloudFormation stack parameters
• Check CodeBuild environment vars
• Check SSM Parameter Store (String and StringList)
• .. so much more! Look around.
• Regularly find more AWS keys & resource creds
• Leverage discovered access to third-parties
• Datadog, SendGrid, Git, Docker, API keys, Slack, Teams, etc
*REMINDER*
• Slow down here!
31
THIRD-PARTY SERVICES
PRIVILEGE ESCALATION
32
POLICIES
| PERMISSION | HOW TO EXPLOIT |
|---|---|
| iam:CreatePolicyVersion | Create a policy version for an existing policy with the set-as-default flag |
| iam:Attach(User/Group/Role)Policy | Add a policy to a user/group/role that is attacker controlled |
| iam:Put(User/Group/Role)Policy | Add an inline policy to a user/group/role that is attacker controlled |
| iam:SetDefaultPolicyVersion | Change the default policy to a different version with higher permissions |
| iam:UpdateAssumeRolePolicy | Update the assume-role (trust) policy for a role that is attacker controlled |
Look for policies with higher permissions that you can leverage
Reference: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
RIP Spencer Gietzen :(
PRIVILEGE ESCALATION
33
ODD PERMISSIONS
| PERMISSION | HOW TO EXPLOIT |
|---|---|
| iam:PassRole | Pass an existing role to a resource or service and use it |
| iam:NotAction + Effect: Allow | Creates a deny-list, meaning every action not listed is permitted |
| lambda:CreateEventSourceMapping | Tie event sources to a Lambda function to trigger execution |
| glue:Create/UpdateDevEndpoint | Update the SSH public key for a dev endpoint |
| cloudformation:CreateStack | Bad with PassRole: launch resources (create admin, etc) |
Look for risky permissions that you can leverage
PRIVILEGE ESCALATION
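A triage checker for the permissions listed in the two tables above, as an added example that is not from the talk or from any tool it mentions. It walks an identity policy document for those actions (expanding wildcards such as iam:Put*Policy), flags the NotAction+Allow deny-list pattern and PassRole on Resource "*", and checks a trust policy for Principal "*"; both sample policies are constructed.

```python
"""Flag privilege-escalation-capable permissions in IAM policy documents.

Added example, not from the talk. Encodes the permissions from the two tables
above plus the PassRole-on-"*", NotAction+Allow and Principal "*" cautions, so
a policy pulled with the AWS CLI can be triaged (then verified) before it is
reported. Both sample policies at the bottom are constructed.
"""
import fnmatch

# Permissions the tables call out, with the reason each one matters.
RISKY_ACTIONS = {
    "iam:CreatePolicyVersion": "new policy version with --set-as-default",
    "iam:AttachUserPolicy": "attach managed policy to attacker-controlled user",
    "iam:AttachGroupPolicy": "attach managed policy to attacker-controlled group",
    "iam:AttachRolePolicy": "attach managed policy to attacker-controlled role",
    "iam:PutUserPolicy": "inline policy on attacker-controlled user",
    "iam:PutGroupPolicy": "inline policy on attacker-controlled group",
    "iam:PutRolePolicy": "inline policy on attacker-controlled role",
    "iam:SetDefaultPolicyVersion": "switch default to a higher-privilege version",
    "iam:UpdateAssumeRolePolicy": "rewrite a role's trust policy",
    "iam:PassRole": "pass a privileged role to a service",
    "lambda:CreateEventSourceMapping": "trigger Lambda execution from an event source",
    "glue:CreateDevEndpoint": "dev endpoint reachable over SSH",
    "glue:UpdateDevEndpoint": "replace a dev endpoint's SSH public key",
    "cloudformation:CreateStack": "launch arbitrary resources (worse with PassRole)",
}


def _as_list(value):
    """IAM accepts a string or a list for Action, NotAction, Resource and Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """Action patterns are case-insensitive globs such as iam:* or iam:Put*Policy."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def check_identity_policy(policy):
    """Return [(finding, detail)] for an identity-based policy document (dict)."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never grant anything
        if "NotAction" in stmt:
            # Allow + NotAction is a deny-list: every action NOT named is permitted
            excluded = ", ".join(_as_list(stmt["NotAction"]))
            findings.append(("NotAction+Allow", f"everything except {excluded} is permitted"))
            continue
        wildcard_resource = "*" in _as_list(stmt.get("Resource"))
        for pattern in _as_list(stmt.get("Action")):
            for action, why in RISKY_ACTIONS.items():
                if _matches(pattern, action):
                    detail = f"granted via {pattern}: {why}"
                    if action == "iam:PassRole" and wildcard_resource:
                        detail += "; Resource is * (any role can be passed)"
                    findings.append((action, detail))
    return findings


def check_trust_policy(policy):
    """Return [(finding, detail)] for a role trust policy with an open principal."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        if "*" in aws:
            detail = "any AWS account may call sts:AssumeRole"
            if "Condition" in stmt:
                detail += " (narrowed by a Condition; verify it)"
            findings.append(("Principal *", detail))
    return findings


# Constructed sample: looks like a developer policy, but offers three ways up.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "iam:Put*Policy"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
        {"Effect": "Allow", "NotAction": ["organizations:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:CreatePolicyVersion", "Resource": "*"},
    ],
}
# Constructed sample trust policy: the pattern the closing thoughts say to avoid.
SAMPLE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}],
}

if __name__ == "__main__":
    for name, detail in check_identity_policy(SAMPLE_POLICY) + check_trust_policy(SAMPLE_TRUST):
        print(f"{name:32} {detail}")
```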
EC2 Metadata: http://169.254.169.254/latest/meta-data/iam/security-credentials/<role>
IMDSv1
• EC2 instance with an IAM role attached can leak access keys
• Leverage an EC2 hosted web app vulnerable to SSRF
• … or ability to SSH into an EC2 instance
• v1 does NOT require auth :)
• Retrieve access/secret access keys for the EC2 IAM role
IMDSv2
• v2 does require auth :(
• Security fix requiring a TOKEN from /latest/api/token via PUT
• Use the token in the x-aws-ec2-metadata-token header on requests to /latest/meta-data
• An EC2 instance configured to require IMDSv2 no longer answers IMDSv1 requests
34
IAM ROLE w/ EC2 METADATA
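A defender's check for the IMDSv1/IMDSv2 distinction above, as an added example that is not from the talk: it reads `aws ec2 describe-instances` output and reports instances whose metadata service still answers unauthenticated IMDSv1 requests (the configuration that lets an SSRF reach role keys), then builds the CLI calls that enforce the v2 token. The sample output is constructed.

```python
"""Audit EC2 instances for IMDSv1 exposure from describe-instances output.

Added example, not from the talk. Feed it the parsed JSON (or JSON text) from
`aws ec2 describe-instances`; the sample below is constructed. MetadataOptions
HttpTokens "required" means IMDSv2 only; "optional" means IMDSv1 still works.
"""
import json


def audit_imds(describe_instances):
    """Return [(instance_id, issue)] for instances that do not enforce IMDSv2."""
    if isinstance(describe_instances, str):
        describe_instances = json.loads(describe_instances)
    findings = []
    for reservation in describe_instances.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # metadata service switched off entirely: nothing to leak
            if opts.get("HttpTokens") == "required":
                continue  # IMDSv2 enforced: PUT token + header needed
            has_role = "IamInstanceProfile" in inst
            issue = "IMDSv1 allowed" + (" with IAM role attached" if has_role else " (no IAM role)")
            findings.append((inst["InstanceId"], issue))
    return findings


def remediation_commands(findings):
    """AWS CLI calls that require the IMDSv2 token on each flagged instance."""
    return [
        f"aws ec2 modify-instance-metadata-options --instance-id {iid} "
        "--http-tokens required --http-endpoint enabled"
        for iid, _ in findings
    ]


# Constructed sample describe-instances output, trimmed to the relevant fields.
SAMPLE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaaaaaaaaaaaaaa1",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::111111111111:instance-profile/web"},
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-0bbbbbbbbbbbbbbb2",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::111111111111:instance-profile/api"},
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
    {"InstanceId": "i-0ccccccccccccccc3",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-0ddddddddddddddd4",
     "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
]}]}

if __name__ == "__main__":
    for iid, issue in audit_imds(SAMPLE_INSTANCES):
        print(iid, issue)
    for cmd in remediation_commands(audit_imds(SAMPLE_INSTANCES)):
        print(cmd)
```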
PRIVILEGE ESCALATION
• Check inline and managed policy versions
• Look for AssumeRole w/ our principal or Principal: “*”
• Call aws sts assume-role --role-arn <arn>
• Copy and configure creds in ~/.aws/credentials
• Check for new permissions within assumed role
• Use new creds w/ elevated permissions
• CreateFunction, UpdateFunctionCode and add new code
• UpdateFunctionConfiguration and add new layer
• … profit!
35
LAMBDA w/ ASSUMEROLE
PRIVILEGE ESCALATION
• Check inline and managed policy versions
• Look for roles that have RunInstances
• Look for roles that have (add/remove) instance-profile permissions
• Can we create a key pair and run an EC2 instance?
• Can we unassign/reassign instance profiles w/ elevated perms?
• SSH into EC2 w/ key pair :)
• SSM nodes w/ send-command RCE opportunity (AWS-RunShellScript)
• Use EC2 for lateral movement, other service interaction, etc
• … profit!
36
EC2 w/ INSTANCE PROFILE
PRIVILEGE ESCALATION
• User pools assist with user sign-in/sign-up
• Identity pools assist with what users can access
• We are looking for Identity Pool ID’s
• Look in JavaScript, HTTP response headers, GitHub, etc
• May need to auth to web app using Cognito, retrieve JWT
• JWT is passed to identity pool, retrieves temp AWS keys
• Keys are used to enumerate AWS access
• Sometimes Identity Pools allow unauthenticated access
• Mobile app and hardware devices sometimes embed them
aws cognito-identity get-id --identity-pool-id <pool id>
aws cognito-identity get-credentials-for-identity --identity-id <prev id>
37
COGNITO IDENTITIES
DATA
EXFILTRATION
38
DATA EXFILTRATION
• EC2 -> AMIs -> Public Images filter
aws ec2 describe-images --owners self --query 'Images[*].[ImageId,Name,Public]'
• Run EC2 instance in your AWS account using public AMI
• Enumerate the filesystem like it’s 1999!
39
PUBLIC AMI
DATA EXFILTRATION
• EC2 -> Snapshots -> Public Snapshots filter
aws ec2 describe-snapshots --owner-ids self --restorable-by-user-ids all --query 'Snapshots[*].[SnapshotId,Description]'
• Attach EBS volume to EC2 instance in your AWS account using public snapshot
• Enumerate the filesystem like it’s 1999!
40
PUBLIC EBS
DATA EXFILTRATION
• Share an AMI or snapshot with your external AWS account
• Launch an EC2 instance in your external account, SSH in!
In Customer Account
aws ec2 modify-snapshot-attribute --snapshot-id <snap id> --attribute createVolumePermission --operation-type add --user-ids <your account ID>
In Tester Account
aws ec2 create-volume --snapshot-id <snap id> --availability-zone <az>
*DISCLAIMER*
• NEVER MAKE AN AMI OR EBS PUBLIC ON A PENTEST!!!!!
41
PUBLICIZE YOURSELF
DATA EXFILTRATION
• Inspect HTML & JavaScript files
• Resources hosted at <something>.s3.amazonaws.com
• Browse to http://<ip>/ and see if it redirects to AWS S3
• nslookup <ip> = s3-website-<region>.amazonaws.com
• http://<domain>.s3-website-<region>.amazonaws.com
• SSL Certs SAN and brute force
• GitHub searches
• Google searches
• Burp Suite plugin called AWS Extender
aws s3 ls s3://<bucket name>/
42
HACKING S3 BUCKETS
SCALING THE
PENTEST
43
SCALING THE PENTEST
Remember that accounts.txt you created… lets use it!
cat accounts.txt | while read a; do python scout.py aws --profile $a --no-browser --report-dir ./reports/$a/ --report-name $a --logfile ./logs/$a.log; done
• Consider limiting to specific regions
• Generates a report and log file
• Set each account number to the profile name in ~/.aws/config
• I’ve used this for 300+ accounts in one test
*DISCLAIMER*
• Rate limits suck. Scout has --max-rate and --max-workers flags
44
LOOP THROUGH ACCOUNTS
SCALING THE PENTEST
Now that Scout is done, lets parse some data!
• Report data in scoutsuite_results*.js file
• So many more issues we can search for
EC2 Userdata Example
find . -type f -name 'scoutsuite_results*.js' -exec tail -n +2 {} \; | jq '.services.ec2.regions[].vpcs[].instances[] | select(.user_data != null) | .arn, .user_data'
Lambda Environment Variables Example
for r in $(find . -type f -name 'scoutsuite_results*.js'); do tail -n +2 "$r" | jq '.services.awslambda.regions[].functions[] | select(.env_variables != []) | .arn, .env_variables'; done
45
QUICK ANALYSIS
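The same quick analysis in Python, as an added example that is not from the talk or from ScoutSuite/Outpost: it strips the `scoutsuite_results =` prefix the jq one-liners skip with `tail -n +2`, walks the same ec2 and awslambda paths across every account's report directory, and additionally flags anything shaped like an AWS access key ID (the earlier slide's advice to parse the scoutsuite_results*.js JSON applies here too). The embedded results file is constructed; the key in it is the AWS documentation example key.

```python
"""Pull EC2 user-data and Lambda environment variables out of ScoutSuite results.

Added example, not from the talk. scoutsuite_results*.js is a JavaScript
assignment wrapping JSON; load_scout_results() drops the prefix, the walkers
mirror the jq paths above, and find_access_keys() narrows the hits. The
sample file at the bottom is constructed.
"""
import base64
import binascii
import json
import re
from pathlib import Path

ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")  # long-term access key ID shape


def load_scout_results(text):
    """scoutsuite_results*.js is `scoutsuite_results =` followed by JSON; drop the prefix."""
    return json.loads(text[text.index("{"):])


def _maybe_base64(value):
    """EC2 returns user-data base64-encoded; decode it if it is, else return as-is."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return value


def extract_secrets(results):
    """Return [(arn, source, text)] for instances with user-data and functions with env vars."""
    hits = []
    services = results.get("services", {})
    for region in services.get("ec2", {}).get("regions", {}).values():
        for vpc in region.get("vpcs", {}).values():
            for inst in vpc.get("instances", {}).values():
                if inst.get("user_data"):
                    hits.append((inst["arn"], "ec2:user_data", _maybe_base64(inst["user_data"])))
    for region in services.get("awslambda", {}).get("regions", {}).values():
        for fn in region.get("functions", {}).values():
            env = fn.get("env_variables") or {}  # Scout stores [] when there are none
            if env:
                hits.append((fn["arn"], "lambda:env_variables", json.dumps(env, sort_keys=True)))
    return hits


def find_access_keys(hits):
    """Narrow hits to ones containing something shaped like an AWS access key ID."""
    return [(arn, src, key) for arn, src, text in hits for key in ACCESS_KEY_RE.findall(text)]


def scan_reports(report_dir):
    """Aggregate hits across every account's report under report_dir (./reports/<account>/)."""
    hits = []
    for path in Path(report_dir).rglob("scoutsuite_results*.js"):
        hits.extend(extract_secrets(load_scout_results(path.read_text())))
    return hits


# Constructed sample results file in the shape the jq filters above walk.
SAMPLE_RESULTS_JS = "scoutsuite_results =\n" + json.dumps({"services": {
    "ec2": {"regions": {"us-east-1": {"vpcs": {"vpc-0example": {"instances": {
        "i-1": {"arn": "arn:aws:ec2:us-east-1:111111111111:instance/i-1",
                "user_data": "#!/bin/bash\nexport AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"},
        "i-2": {"arn": "arn:aws:ec2:us-east-1:111111111111:instance/i-2", "user_data": None},
    }}}}}},
    "awslambda": {"regions": {"us-east-1": {"functions": {
        "f-1": {"arn": "arn:aws:lambda:us-east-1:111111111111:function:f-1",
                "env_variables": {"DB_PASSWORD": "constructed-sample-value"}},
        "f-2": {"arn": "arn:aws:lambda:us-east-1:111111111111:function:f-2", "env_variables": []},
    }}}},
}})

if __name__ == "__main__":
    for arn, source, text in extract_secrets(load_scout_results(SAMPLE_RESULTS_JS)):
        print(f"{source:22} {arn}\n    {text.strip()}")
```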
SCALING THE PENTEST
Nothing sexy but useful!
• Quickly generate ~/.aws/config using AssumeRole for all accounts
• Prior to pentest, test AWS accounts using profiles from accounts.txt
• Generate findings for Scout vulnerability scans (danger/warning)
• 300+ accounts? No problem. It parses all results and generates findings
• Generates a list of findings, affected resources, and vulnerable accounts
• After scanning with Scout, use Outpost to find quick wins
46
INTRODUCING OUTPOST
SCALING THE PENTEST
47
INTRODUCING OUTPOST
https://darkoptics.com/outpost
CLOSING
THOUGHTS
48
CLOSING THOUGHTS
• Always. Use. CloudTrail.
• Implement a routine AWS pentest on all accounts
• Restrict policies to specific principals
• Always implement a least-privilege model
• Block web app access to 169.254.169.254
• Watch out for PassRole on “*”
• Avoid using "Principal" : { "AWS" : "*" }
• Avoid NotActions+Allow
Have questions? Need a pentest? Reach out!
49
CLIENT RECOMMENDATIONS
CLOSING THOUGHTS
• Follow traditional pentest phases
• The more attack surface you know, the better the test
• Lots of accounts? Cast a wide net, then zero in on your focus
• Few accounts? Discover everything and dig deep into policies/roles
• Create cheat sheets of one-liners for repetitive tasks
• Get familiar with the AWS service offerings
• Great time to start, cloud pentesting is still very new
Have questions? Want to learn to pentest AWS? Reach out!
50
PENTESTER RECOMMENDATIONS
THANKS FOR JOINING!
FOLLOW ME ON TWITTER: @USTAYREADY
51

Weitere ähnliche Inhalte

Was ist angesagt?

Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
Ross Wolf
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
DirkjanMollema
 

Was ist angesagt? (20)

AWS Code Services
AWS Code ServicesAWS Code Services
AWS Code Services
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security Overview
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security -  API Security top 10 - Erez YalonCheckmarx meetup API Security -  API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
 
Azure Penetration Testing
Azure Penetration TestingAzure Penetration Testing
Azure Penetration Testing
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
 
A Guide to AWS Penetration Testing.pptx
A Guide to AWS Penetration Testing.pptxA Guide to AWS Penetration Testing.pptx
A Guide to AWS Penetration Testing.pptx
 
Penetration Testing Azure for Ethical Hackers
Penetration Testing Azure for Ethical HackersPenetration Testing Azure for Ethical Hackers
Penetration Testing Azure for Ethical Hackers
 
Terraform modules restructured
Terraform modules restructuredTerraform modules restructured
Terraform modules restructured
 
Docker Container Security
Docker Container SecurityDocker Container Security
Docker Container Security
 
Deep dive into AWS IAM
Deep dive into AWS IAMDeep dive into AWS IAM
Deep dive into AWS IAM
 
[오픈소스컨설팅] EFK Stack 소개와 설치 방법
[오픈소스컨설팅] EFK Stack 소개와 설치 방법[오픈소스컨설팅] EFK Stack 소개와 설치 방법
[오픈소스컨설팅] EFK Stack 소개와 설치 방법
 
Advanced Security Best Practices Masterclass
Advanced Security Best Practices MasterclassAdvanced Security Best Practices Masterclass
Advanced Security Best Practices Masterclass
 
Containers and workload security an overview
Containers and workload security an overview Containers and workload security an overview
Containers and workload security an overview
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
 
Pacu ~ Rhino Security
Pacu ~ Rhino SecurityPacu ~ Rhino Security
Pacu ~ Rhino Security
 
Best Practices for Certificate Management
Best Practices for Certificate ManagementBest Practices for Certificate Management
Best Practices for Certificate Management
 
Harnessing the Power of AI in AWS Pentesting.pdf
Harnessing the Power of AI in AWS Pentesting.pdfHarnessing the Power of AI in AWS Pentesting.pdf
Harnessing the Power of AI in AWS Pentesting.pdf
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Kubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy AgentKubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy Agent
 

Ähnlich wie Welcome to the Jungle: Pentesting AWS

AWSome Day 2016 - Module 3: Security, Identity, and Access Management
AWSome Day 2016 - Module 3: Security, Identity, and Access ManagementAWSome Day 2016 - Module 3: Security, Identity, and Access Management
AWSome Day 2016 - Module 3: Security, Identity, and Access Management
Amazon Web Services
 
Expose Yourself Without Insecurity: Cloud Breach Patterns
Expose Yourself Without Insecurity: Cloud Breach PatternsExpose Yourself Without Insecurity: Cloud Breach Patterns
Expose Yourself Without Insecurity: Cloud Breach Patterns
Rob Ragan
 

Ähnlich wie Welcome to the Jungle: Pentesting AWS (20)

Aws iam best practices to live by
Aws iam best practices to live byAws iam best practices to live by
Aws iam best practices to live by
 
AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)
AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)
AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)
 
Controlling Access to your Resources
Controlling Access to your ResourcesControlling Access to your Resources
Controlling Access to your Resources
 
Protecting Your Data in AWS
Protecting Your Data in AWSProtecting Your Data in AWS
Protecting Your Data in AWS
 
Implementing the Top 10 AWS Security Best Practices
Implementing the Top 10 AWS Security Best PracticesImplementing the Top 10 AWS Security Best Practices
Implementing the Top 10 AWS Security Best Practices
 
Secure Configuration and Automation Overview
Secure Configuration and Automation OverviewSecure Configuration and Automation Overview
Secure Configuration and Automation Overview
 
Security Day IAM Recommended Practices
Security Day IAM Recommended PracticesSecurity Day IAM Recommended Practices
Security Day IAM Recommended Practices
 
Security Architecture recommendations for your new AWS operation - Pop-up Lof...
Security Architecture recommendations for your new AWS operation - Pop-up Lof...Security Architecture recommendations for your new AWS operation - Pop-up Lof...
Security Architecture recommendations for your new AWS operation - Pop-up Lof...
 
Diving into Common AWS Misconfigurations
Diving into Common AWS MisconfigurationsDiving into Common AWS Misconfigurations
Diving into Common AWS Misconfigurations
 
(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014
(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014
(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014
 
AWS IAM Introduction
AWS IAM IntroductionAWS IAM Introduction
AWS IAM Introduction
 
Hackproof Your Gov Cloud: Mitigating Risks for 2017 and Beyond | AWS Public S...
Hackproof Your Gov Cloud: Mitigating Risks for 2017 and Beyond | AWS Public S...Hackproof Your Gov Cloud: Mitigating Risks for 2017 and Beyond | AWS Public S...
Hackproof Your Gov Cloud: Mitigating Risks for 2017 and Beyond | AWS Public S...
 
AWSome Day 2016 - Module 3: Security, Identity, and Access Management
AWSome Day 2016 - Module 3: Security, Identity, and Access ManagementAWSome Day 2016 - Module 3: Security, Identity, and Access Management
AWSome Day 2016 - Module 3: Security, Identity, and Access Management
 
HIPAA / HITRUST Account Governance Strategies | | AWS Public Sector Summit 2017
 HIPAA / HITRUST Account Governance Strategies | | AWS Public Sector Summit 2017 HIPAA / HITRUST Account Governance Strategies | | AWS Public Sector Summit 2017
HIPAA / HITRUST Account Governance Strategies | | AWS Public Sector Summit 2017
 
Accelerating your Business with Security
Accelerating your Business with SecurityAccelerating your Business with Security
Accelerating your Business with Security
 
Hackproof Your Cloud – Responding to 2016 Threats
Hackproof Your Cloud – Responding to 2016 ThreatsHackproof Your Cloud – Responding to 2016 Threats
Hackproof Your Cloud – Responding to 2016 Threats
 
Attack and defense in the public cloud by Robert Wood
Attack and defense in the public cloud by Robert WoodAttack and defense in the public cloud by Robert Wood
Attack and defense in the public cloud by Robert Wood
 
IAM Best Practices to Live By - Pop-up Loft Tel Aviv
IAM Best Practices to Live By - Pop-up Loft Tel AvivIAM Best Practices to Live By - Pop-up Loft Tel Aviv
IAM Best Practices to Live By - Pop-up Loft Tel Aviv
 
Expose Yourself Without Insecurity: Cloud Breach Patterns
Expose Yourself Without Insecurity: Cloud Breach PatternsExpose Yourself Without Insecurity: Cloud Breach Patterns
Expose Yourself Without Insecurity: Cloud Breach Patterns
 
Cross-Account Delegation in AWS
Cross-Account Delegation in AWSCross-Account Delegation in AWS
Cross-Account Delegation in AWS
 

Kürzlich hochgeladen

Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Kürzlich hochgeladen (20)

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 

Welcome to the Jungle: Pentesting AWS

  • 1. Welcome to the Jungle PENTESTING AWS 1
  • 2. ABOUT MIKE FELCH @USTAYREADY ON TWITTER SECURITY RESEARCH / RED TEAM @ BHIS • EXPLOITING SINCE RENEGADE BBS BACKDOORS • POPPING BOXES SINCE /CGI-BIN/PHF IN ’97 • SOFTWARE DEV SINCE VISUALBASIC3 WAREZ • PENTESTING SINCE AROUND 2005 2
  • 3. ABOUT THIS TALK PENTESTING AWS IN-DEPTH AND AT SCALE • NOT A REFLECTION OF AMAZON • WE RELY A LOT ON USING AWS CLI • LET’S DIG INTO SERVICES • SCALE ACROSS MANY ACCOUNTS • REPORT, REPORT, REPORT! 3
  • 4. PRESENTATION AGENDA HIGH-LEVEL TESTING OVERVIEW INITIAL ACCESS PROVISIONING NEW TOOL CLOSING THOUGHTS PENTEST PHASES 4 SCALING THE PENTEST
  • 6. HIGH-LEVEL TESTING OVERVIEW WHAT ARE WE TESTING? Organizations • Consolidated AWS accounts for easy management AWS Account • We test one or more AWS accounts, sometimes not all • Contains resources in different locations (regions) • Usually used for scoping pentests *DISCLAIMER* • Depends on the client, sometimes they want something different • … like starting as a developer with access to a dev environment 6
  • 7. HIGH-LEVEL TESTING OVERVIEW RESOURCES Resources are “what” you are testing • EC2: virtual server that comes in different sizes/locations • S3: object storage with a globally unique name • RDS: a typical relational database • Lambda: microservice that runs code without a server • … over 200 different types of services *WARNING* • Usually pieced together like Legos • Done right, can be hard to break • Done wrong, has major consequences • Exploit a resource and interact with different resources 7
  • 8. HIGH-LEVEL TESTING OVERVIEW SCOPING How many AWS accounts are being tested? • 5-10 accounts? One-week in-depth test • 100+ accounts? Time boxed wide test How many different resources in each account? • Good to know up front, hard to use in scoping How many regions are being used in each account? • Great way to reduce reconnaissance time Be sure to set the client expectations during scoping call! 8
  • 9. HIGH-LEVEL TESTING OVERVIEW IAM WHO I AM We need read-only access to start testing.. but how? Solution? Identity and Access Management (IAM)! • Controls access to AWS resources for users • Typical users, groups, and permissions • Uses “policies” to apply permissions for resources to users • Password policies, MFA, and monitoring w/ CloudTrail • “Principal” is an entity in AWS (user, role, AWS account, etc) Why is this important? • Vulnerable policies are the gateway for our exploitation • Start testing with read-only access, exploit from there 9
• 13. INITIAL ACCESS PROVISIONING: ACCESS CREDENTIALS
  IAM User Access and Secret Keys
  • The access key ID identifies the user making the request
  • The secret access key signs the request, proving the caller holds it
  Console Credentials
  • Account ID (or account alias) + IAM username + password
  • Root account email + password
  Easier for the client to generate when testing a few accounts
  Harder for the client to generate when testing many accounts
• 14. INITIAL ACCESS PROVISIONING: ASSUMEROLE
  Provide internal access, externally
  • IAM feature that lets a principal assume a role and take on its permissions
  • Great for allowing external accounts to access resources
  • The external account passes the role ARN (Amazon Resource Name) to sts:AssumeRole
  • AWS returns temporary credentials (access key, secret key, session token) to the external account
  • Ideal way for client and tester
  • Provide the client w/ a minimal read-only policy and a trust policy naming your account
  • Receive a role ARN for each account in scope
• 15. INITIAL ACCESS PROVISIONING: TESTING ENVIRONMENT
  • Be sure to install the AWS CLI: https://aws.amazon.com/cli/
  • Configure *YOUR* testing AWS account (not the client's)
  • Add the client's AWS account IDs to accounts.txt, one per line
  • Your keys will be configured in: ~/.aws/credentials
• 16. INITIAL ACCESS PROVISIONING: TESTING ENVIRONMENT
  • Next, configure an AssumeRole profile for each client account in: ~/.aws/config
  • Each profile needs a name; we use the client's AWS account number
  • Each profile needs the ARN of the role the client created, which trusts our account (role_arn)
  • Each profile references our own credentials profile as its source (source_profile); we named ours "testing"
• 17. INITIAL ACCESS PROVISIONING: TESTING ENVIRONMENT
  • Retrieve the caller identity from AWS (aws sts get-caller-identity) to verify the profile works
  • Reference the AssumeRole profile name with --profile
  • It uses our account's keys to assume the role in the client's account
  • The session inherits the permissions in the policy they attached to the role
  • If it returns the client's account ID and the role ARN, we are ready to pentest!
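Generating the ~/.aws/config stanzas by hand for every in-scope account is where typos creep in, so here is an added example (my own code, not the deck's and not Outpost) that builds the AssumeRole profiles described above from accounts.txt and cross-checks them before any API call is made. The profile name is the client account number and the source profile is "testing", as on the slides; the role name PentestReadOnly, the default region and the account IDs are assumptions.

```python
"""Generate and sanity-check ~/.aws/config AssumeRole profiles for every
client account in accounts.txt.

Added example, not from the original deck: one profile per client account ID,
each assuming a role the client created, sourced from our own "testing"
profile. The role name, region and account IDs below are assumptions.
"""
from __future__ import annotations

import configparser
import re
from io import StringIO

# Constructed stand-in for accounts.txt (one client account ID per line).
ACCOUNTS_TXT = """\
111111111111
222222222222

333333333333
"""

SOURCE_PROFILE = "testing"      # our own AWS account's credentials profile
ROLE_NAME = "PentestReadOnly"   # assumed: the role the client created for us
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def read_accounts(text: str) -> list[str]:
    """Return the 12-digit account IDs in accounts.txt, skipping blanks/comments."""
    ids = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if not ACCOUNT_ID_RE.match(line):
            raise ValueError(f"not a 12-digit AWS account ID: {line!r}")
        ids.append(line)
    return ids


def render_config(account_ids, role_name=ROLE_NAME,
                  source_profile=SOURCE_PROFILE, region="us-east-1") -> str:
    """Render ~/.aws/config text: one AssumeRole profile per client account.

    The profile name is the account number, so 'aws --profile <account>' and
    the per-account scanning loops later in the deck need no lookup table.
    """
    out = [f"[profile {source_profile}]", f"region = {region}", ""]
    for acct in account_ids:
        out += [
            f"[profile {acct}]",
            f"role_arn = arn:aws:iam::{acct}:role/{role_name}",
            f"source_profile = {source_profile}",
            f"region = {region}",
            "",
        ]
    return "\n".join(out)


def validate_config(config_text: str) -> list[str]:
    """Return a list of problems found in the generated config.

    Every AssumeRole profile must name a source profile that exists, and its
    role_arn must point at the same account as the profile name; an ARN pasted
    into the wrong stanza would otherwise make us test the wrong account.
    """
    cp = configparser.ConfigParser()
    cp.read_file(StringIO(config_text))
    problems = []
    for section in cp.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        if "role_arn" not in cp[section]:
            continue  # plain credential profile, nothing to cross-check
        src = cp[section].get("source_profile")
        if src is None or not cp.has_section(f"profile {src}"):
            problems.append(f"{name}: source_profile {src!r} is not defined")
        m = re.match(r"arn:aws:iam::(\d{12}):role/.+", cp[section]["role_arn"])
        if m is None:
            problems.append(f"{name}: malformed role_arn")
        elif m.group(1) != name:
            problems.append(f"{name}: role_arn belongs to account {m.group(1)}")
    return problems


def build(accounts_text: str = ACCOUNTS_TXT) -> tuple[str, list[str]]:
    """Parse accounts.txt, render the config and validate it in one step."""
    cfg = render_config(read_accounts(accounts_text))
    return cfg, validate_config(cfg)


if __name__ == "__main__":
    cfg, problems = build()
    print(cfg)
    print("problems:", problems or "none")
```

Run it, append the printed stanzas to ~/.aws/config, then `aws sts get-caller-identity --profile <account>` for each account is the real test; the validator only catches the mistakes that can be caught before that call.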
• 19. RESOURCE RECONNAISSANCE: DISCOVERY
  • For each AWS account being tested... in each of the regions... retrieve each resource...
  • While we are at it, let's pull the policies too
  • Is there an easy way to check the policies for issues?
  • Indeed... ScoutSuite!
  *DISCLAIMER*
  • ScoutSuite looked abandoned for a while.
  • ScoutSuite doesn't find everything.
  • ScoutSuite doesn't retrieve all resources.
• 20. RESOURCE RECONNAISSANCE: SCOUTSUITE
  • Generates a nice report dashboard w/ details
  • Shows configurations and scans policies for potential issues
  • Supports other cloud providers (Azure, GCP, etc.)
  https://github.com/nccgroup/ScoutSuite
• 21. RESOURCE RECONNAISSANCE: AWS_LIST_ALL
  • Enumerates everything, everywhere!
  • Inventory only: it doesn't flag anything as "bad"
  • Takes time and may exhaust API rate limits
  https://github.com/JohannesEbke/aws_list_all
• 23. VULNERABILITY IDENTIFICATION: ANALYZE SCOUTSUITE RESULTS
  • Be cautious! Trust but verify.
  • Policies can get complex, watch for false positives
  • Use the AWS CLI to validate each finding
  • Find and parse the scoutsuite_results*.js file(s) for JSON
• 24. SERVICE EXPLOITATION: BRUTE FORCE RESOURCES
  Retrieve resources and try anyway!
  • Example: query for all SNS topics in all regions
  • Retrieve the ARN and publish a message
  • Check the response for errors... profit!
  • Caveat: publishing to a live topic delivers real notifications to its subscribers, so clear the target topics with the client first
  ChatGPT to the rescue!
• 25. RESOURCE RECONNAISSANCE: CHATGPT
  • Generate one-liners to query with the AWS CLI
  • You can also sanitize a policy and ask if it's vulnerable
  • Be careful not to leak customer account IDs & resource names!
• 26. RESOURCE RECONNAISSANCE: CLOUDGPT
  • ChatGPT + Boto3 = AWS YOLO Vulnerability Scanner
  • Full tool done, being released at HackSpaceCon, April 13-15 @ Kennedy Space Center, FL
  https://darkoptics.com/cloudgpt
• 27. SERVICE EXPLOITATION: ADDITIONAL ATTACK SURFACE
  Discover IPs/hostnames for external infrastructure
  • Elastic IPs
  • EC2 public IPs
  • Elastic Load Balancer DNSName
  • RDS endpoint address
  • API Gateway REST APIs
  • Elastic Beanstalk endpoint URL
  Scan the infrastructure
  • Port scan using Nmap
  • Screenshot using GoWitness
  • Fuzz using ffuf or DirBuster
  • Normal external/web app pentest; look for SSRF (it can reach the instance metadata service)!
• 28. SERVICE EXPLOITATION: BRUTE FORCE IAM USERS
  Retrieve IAM usernames & the credential report, then brute force the AWS web console
  • The credential report shows whether MFA is enabled, plus user creation and password change dates
  • Look for password change dates prior to November 2020 (accounts had no default password policy before then)
  • AWS IAM has ***NO LOCK-OUT POLICY*** for console logins
• 30. LATERAL MOVEMENT: GOAL, PERMISSION SNOWBALL
  • Find assumable roles or creds with different permissions
  • Leverage services to pivot around
  • Unravel roles, policies, and permissions
  • Discover resources you can interact with
  • Code and repo commits may have creds
  • Sometimes you can leverage external AWS accounts
  • Sometimes you need to leverage internal roles/creds
  • Sometimes you don't need any creds at all (i.e. --no-sign-request against public resources)
• 31. LATERAL MOVEMENT: THIRD-PARTY SERVICES
  API keys, tokens, credentials and more!
  • Check EC2 user data
  • Check Lambda function code and environment vars
  • Check CloudFormation stack parameters
  • Check CodeBuild environment vars
  • Check SSM Parameter Store (String and StringList; SecureString values only decrypt if you also have kms:Decrypt on their key)
  • ... so much more! Look around.
  • Regularly find more AWS keys & resource creds
  • Leverage discovered access to third parties
  • Datadog, SendGrid, Git, Docker, API keys, Slack, Teams, etc.
  *REMINDER*
  • Slow down here! Using discovered third-party creds is usually outside the authorization of an AWS pentest; confirm with the client first
• 32. PRIVILEGE ESCALATION: POLICIES
  Look for policies with higher permissions that you can leverage
  PERMISSION                          HOW TO EXPLOIT
  iam:CreatePolicyVersion             Create a new version of an existing policy w/ the set-as-default flag
  iam:Attach(User/Group/Role)Policy   Attach a managed policy to a user/group/role that is attacker controlled
  iam:Put(User/Group/Role)Policy      Add an inline policy to a user/group/role that is attacker controlled
  iam:SetDefaultPolicyVersion         Change the default policy version to one w/ higher permissions
  iam:UpdateAssumeRolePolicy          Rewrite a role's trust policy so an attacker-controlled principal can assume it
  Reference: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
  RIP Spencer Gietzen
• 33. PRIVILEGE ESCALATION: ODD PERMISSIONS
  Look for risky permissions that you can leverage
  PERMISSION                          HOW TO EXPLOIT
  iam:PassRole                        Pass an existing (more privileged) role to a resource or service and use it from there
  NotAction + Effect Allow            Creates a deny list: every action not listed is permitted
  lambda:CreateEventSourceMapping     Tie an event source to an existing Lambda to trigger it under its execution role
  glue:Create/UpdateDevEndpoint       Create a dev endpoint, or update an existing one's SSH public key, and SSH in with the endpoint's role
  cloudformation:CreateStack          Bad w/ PassRole: launch resources (create an admin user, etc.) as the passed role
• 34. PRIVILEGE ESCALATION: IAM ROLE w/ EC2 METADATA
  EC2 metadata: http://169.254.169.254/latest/meta-data/iam/security-credentials/<role>
  IMDSv1
  • An EC2 instance with an IAM role attached can leak that role's credentials
  • Leverage an EC2-hosted web app vulnerable to SSRF
  • ... or the ability to SSH into an EC2 instance
  • v1 does NOT require auth: a plain GET returns the keys
  • Retrieve the access key, secret access key and session token for the EC2 IAM role
  IMDSv2
  • v2 does require auth
  • Security fix: request a session TOKEN from /latest/api/token via PUT (with the X-aws-ec2-metadata-token-ttl-seconds header)
  • Send the token in the X-aws-ec2-metadata-token header on every /latest/meta-data request
  • An instance configured to require IMDSv2 (HttpTokens=required) rejects IMDSv1 requests, so a GET-only SSRF no longer works
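To make the v1/v2 difference concrete, here is an added example (my own code, not from the deck) with two client functions that issue exactly the requests described above: a bare GET for IMDSv1, and PUT /latest/api/token followed by a GET carrying the X-aws-ec2-metadata-token header for IMDSv2. Since 169.254.169.254 only answers from inside EC2, the block also runs a tiny HTTP server on localhost that mimics an instance with HttpTokens=required, so the contrast can be seen offline; point the client functions at http://169.254.169.254 from a real instance instead. The role name and the credential values the mock serves are constructed.

```python
"""IMDSv1 vs IMDSv2 credential retrieval, against a local stand-in for the
EC2 metadata service.

Added example, not from the deck. MockIMDS imitates an instance with
HttpTokens=required; fetch_creds_v1/v2 are the client side. ROLE and
FAKE_CREDS are constructed values.
"""
import json
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ROLE = "WebAppInstanceRole"   # assumed name of the role attached to the instance
CREDS_PATH = f"/latest/meta-data/iam/security-credentials/{ROLE}"
FAKE_CREDS = {"AccessKeyId": "ASIAEXAMPLEEXAMPLE", "SecretAccessKey": "constructed",
              "Token": "constructed-session-token"}


class MockIMDS(BaseHTTPRequestHandler):
    """Behaves like IMDSv2-required: without a valid session token, no metadata."""
    tokens = set()

    def log_message(self, *args):   # keep the demo quiet
        pass

    def do_PUT(self):
        # Token issuance needs the TTL header, exactly like the real service.
        if self.path == "/latest/api/token" and \
                self.headers.get("X-aws-ec2-metadata-token-ttl-seconds"):
            tok = secrets.token_urlsafe(16)
            self.tokens.add(tok)
            self._send(200, tok)
        else:
            self._send(400, "bad request")

    def do_GET(self):
        if self.headers.get("X-aws-ec2-metadata-token") not in self.tokens:
            self._send(401, "unauthorized")   # this is what stops a GET-only SSRF
        elif self.path == CREDS_PATH:
            self._send(200, json.dumps(FAKE_CREDS))
        else:
            self._send(404, "not found")

    def _send(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def fetch_creds_v1(base):
    """IMDSv1: a plain GET, which is all most SSRF primitives can issue."""
    with urllib.request.urlopen(base + CREDS_PATH, timeout=3) as r:
        return json.loads(r.read())


def fetch_creds_v2(base, ttl=21600):
    """IMDSv2: PUT for a session token, then GET with the token header."""
    req = urllib.request.Request(base + "/latest/api/token", method="PUT",
                                 headers={"X-aws-ec2-metadata-token-ttl-seconds": str(ttl)})
    with urllib.request.urlopen(req, timeout=3) as r:
        token = r.read().decode()
    req = urllib.request.Request(base + CREDS_PATH,
                                 headers={"X-aws-ec2-metadata-token": token})
    with urllib.request.urlopen(req, timeout=3) as r:
        return json.loads(r.read())


def demo():
    """Run both paths against the mock. Returns (v1 result or HTTP status, v2 creds)."""
    server = HTTPServer(("127.0.0.1", 0), MockIMDS)
    base = f"http://127.0.0.1:{server.server_address[1]}"
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        try:
            v1 = fetch_creds_v1(base)
        except urllib.error.HTTPError as e:
            v1 = e.code
        v2 = fetch_creds_v2(base)
    finally:
        server.shutdown()
        server.server_close()
    return v1, v2


if __name__ == "__main__":
    v1, v2 = demo()
    print("IMDSv1 GET without token ->", v1)
    print("IMDSv2 PUT token + GET   ->", v2["AccessKeyId"])
```

Against an instance that still allows IMDSv1, fetch_creds_v1 returns the keys and the v2 dance is unnecessary; against one with HttpTokens=required only fetch_creds_v2 succeeds, which is why an SSRF that cannot send a PUT with a custom header is a dead end there.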
• 35. PRIVILEGE ESCALATION: LAMBDA w/ ASSUMEROLE
  • Check inline and managed policy versions
  • Look for role trust policies that allow AssumeRole from our principal, or from Principal: "*"
  • Call aws sts assume-role --role-arn <arn> --role-session-name <name>
  • Copy the access key, secret key and session token into ~/.aws/credentials (temporary creds are useless without the session token)
  • Check for new permissions within the assumed role
  • Use the new creds w/ elevated permissions
  • CreateFunction, or UpdateFunctionCode on an existing function, and add new code
  • UpdateFunctionConfiguration and add a new layer
  • ... profit!
• 36. PRIVILEGE ESCALATION: EC2 w/ INSTANCE PROFILE
  • Check inline and managed policy versions
  • Look for roles that have ec2:RunInstances
  • Look for roles that have (add/remove) instance-profile permissions
  • Can we create a key pair and run an EC2 instance?
  • Can we unassign/reassign instance profiles w/ elevated perms?
  • SSH into the EC2 instance w/ the key pair
  • SSM-managed nodes: ssm:SendCommand w/ AWS-RunShellScript is an RCE opportunity
  • Use the EC2 instance for lateral movement, other service interaction, etc.
  • ... profit!
• 37. PRIVILEGE ESCALATION: COGNITO IDENTITIES
  • User pools handle user sign-in/sign-up
  • Identity pools decide what users can access (they hand out AWS credentials)
  • We are looking for Identity Pool IDs
  • Look in JavaScript, HTTP response headers, GitHub, etc.
  • May need to auth to the web app using Cognito and retrieve a JWT
  • The JWT is passed to the identity pool, which returns temporary AWS keys
  • The keys are used to enumerate AWS access
  • Sometimes identity pools allow unauthenticated access
  • Mobile apps and hardware devices sometimes embed them
  aws cognito-identity get-id --identity-pool-id <pool id>
  aws cognito-identity get-credentials-for-identity --identity-id <prev id>
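Reading policy JSON by eye across hundreds of roles does not scale, so here is an added example (my own code, not the deck's and not any tool it names) that takes the documents returned by `aws iam get-policy-version`, `get-role-policy` and `get-role` and flags the patterns from slides 32, 33 and 35: the escalation permissions from the Rhino Security Labs list, iam:PassRole on "*", Allow + NotAction, and trust policies that let Principal "*" or our own account assume the role. The policy documents and the tester account ID are constructed samples; wildcard matching follows IAM's case-insensitive glob rules.

```python
"""Flag privilege-escalation paths in IAM identity and trust policies.

Added example, not code from the deck. analyze_policy() inspects a
permissions policy document; analyze_trust_policy() inspects a role's
AssumeRolePolicyDocument. TESTER_ACCOUNT and the sample documents are
constructed.
"""
import fnmatch
import json

TESTER_ACCOUNT = "123456789012"   # assumed: our own (external) AWS account ID

# Permissions from slides 32/33 that become admin when misused.
ESCALATION_ACTIONS = {
    "iam:CreatePolicyVersion": "create a new default version of an attached policy",
    "iam:SetDefaultPolicyVersion": "switch to a more permissive policy version",
    "iam:AttachUserPolicy": "attach a managed policy to a controlled user",
    "iam:AttachGroupPolicy": "attach a managed policy to a controlled group",
    "iam:AttachRolePolicy": "attach a managed policy to a controlled role",
    "iam:PutUserPolicy": "add an inline policy to a controlled user",
    "iam:PutGroupPolicy": "add an inline policy to a controlled group",
    "iam:PutRolePolicy": "add an inline policy to a controlled role",
    "iam:UpdateAssumeRolePolicy": "rewrite a role's trust policy",
    "iam:PassRole": "pass a privileged role to a resource we control",
    "lambda:CreateEventSourceMapping": "trigger a Lambda running as a privileged role",
    "glue:CreateDevEndpoint": "SSH into a dev endpoint running as its role",
    "glue:UpdateDevEndpoint": "replace the SSH key on a dev endpoint",
    "cloudformation:CreateStack": "launch resources (incl. admin users) as a passed role",
}


def _as_list(value):
    """Action/Resource/Principal may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """Case-insensitive IAM wildcard match ('iam:*', 'iam:Put*Policy', '*')."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def analyze_policy(policy):
    """Return findings (strings) for an identity (permissions) policy document."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue                       # Deny statements never grant anything
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            findings.append("Allow + NotAction: everything except "
                            f"{_as_list(stmt['NotAction'])} is permitted on {resources}")
        for pattern in _as_list(stmt.get("Action")):
            for action, why in ESCALATION_ACTIONS.items():
                if _matches(pattern, action):
                    severity = "HIGH" if "*" in resources else "MEDIUM"
                    findings.append(f"{severity} {action} via '{pattern}' on "
                                    f"{resources}: {why}")
    return findings


def analyze_trust_policy(role_name, trust):
    """Return findings for a role's AssumeRolePolicyDocument (slide 35)."""
    findings = []
    for stmt in _as_list(trust.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_matches(a, "sts:AssumeRole") for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            aws_principals = ["*"]
        elif isinstance(principal, dict):
            aws_principals = _as_list(principal.get("AWS"))   # Service/Federated are not ours
        else:
            aws_principals = []
        for p in aws_principals:
            if p == "*":
                findings.append(f"{role_name}: Principal '*' can assume this role")
            elif TESTER_ACCOUNT in p:
                findings.append(f"{role_name}: assumable from our account ({p})")
    return findings


# Constructed sample documents (not taken from any real account).
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "iam:Put*Policy"], "Resource": "*"},
    {"Effect": "Allow", "NotAction": "iam:DeleteUser", "Resource": "*"},
    {"Effect": "Deny",  "Action": "iam:CreatePolicyVersion", "Resource": "*"}
  ]
}""")

SAMPLE_TRUST = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"},
    {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
     "Action": "sts:AssumeRole"}
  ]
}""")

if __name__ == "__main__":
    for line in analyze_policy(SAMPLE_POLICY) + analyze_trust_policy("app-role", SAMPLE_TRUST):
        print(line)
```

This is a triage filter, not an authorization engine: it ignores Condition blocks, resource-based policies and permission boundaries, so every hit still has to be confirmed with the AWS CLI, as slide 23 says.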
• 39. DATA EXFILTRATION: PUBLIC AMI
  • EC2 -> AMIs -> Public Images filter
  aws ec2 describe-images --owners self --query 'Images[*].[ImageId,Name,Public]'
  • Run an EC2 instance in your AWS account using the public AMI
  • Enumerate the filesystem like it's 1999!
• 40. DATA EXFILTRATION: PUBLIC EBS
  • EC2 -> Snapshots -> Public Snapshots filter
  aws ec2 describe-snapshots --owner-ids self --restorable-by-user-ids all --query 'Snapshots[*].[SnapshotId,Description]'
  (snapshots have no Public field; --restorable-by-user-ids all returns only the ones shared with everyone)
  • Create a volume from the public snapshot, attach it to an EC2 instance in your AWS account and mount it
  • Enumerate the filesystem like it's 1999!
• 41. DATA EXFILTRATION: PUBLICIZE YOURSELF
  • Share an AMI or snapshot with your external AWS account
  • Launch an EC2 instance in your external account, SSH in!
  In the customer account:
  aws ec2 modify-snapshot-attribute --snapshot-id <snap id> --attribute createVolumePermission --operation-type add --user-ids <your account ID>
  In the tester account (same region as the snapshot):
  aws ec2 create-volume --snapshot-id <snap id> --availability-zone <az>
  • Encrypted snapshots also need their KMS key shared with you; snapshots encrypted with the AWS-managed default key cannot be shared at all
  *DISCLAIMER*
  • NEVER MAKE AN AMI OR EBS SNAPSHOT PUBLIC ON A PENTEST!!!!!
• 42. DATA EXFILTRATION: HACKING S3 BUCKETS
  • Inspect HTML & JavaScript files
  • Resources hosted at <something>.s3.amazonaws.com
  • Browse to http://<ip>/ and see if it redirects to AWS S3
  • nslookup <ip> resolving to s3-website-<region>.amazonaws.com
  • http://<domain>.s3-website-<region>.amazonaws.com
  • TLS certificate SANs and brute forcing bucket names
  • GitHub searches
  • Google searches
  • Burp Suite extension called AWS Extender
  aws s3 ls s3://<bucket name>/
  (add --no-sign-request to see what an anonymous user can list)
• 44. SCALING THE PENTEST: LOOP THROUGH ACCOUNTS
  Remember that accounts.txt you created... let's use it!
  while read -r a; do python scout.py aws --profile "$a" --no-browser --report-dir ./reports/"$a"/ --report-name "$a" --logfile ./logs/"$a".log; done < accounts.txt
  • Consider limiting to specific regions (--regions)
  • Generates a report and log file per account
  • Set each account number as the profile name in ~/.aws/config
  • I've used this for 300+ accounts in one test
  *DISCLAIMER*
  • Rate limits suck. Scout has --max-rate and --max-workers flags
• 45. SCALING THE PENTEST: QUICK ANALYSIS
  Now that Scout is done, let's parse some data!
  • Report data lives in the scoutsuite_results*.js file: a JavaScript assignment on line 1 and JSON below it, hence tail -n +2
  • So many more issues we can search for
  EC2 user data example
  find . -type f -name 'scoutsuite_results*.js' -exec tail -n +2 {} \; | jq '.services.ec2.regions[].vpcs[].instances[] | select(.user_data != null) | .arn, .user_data'
  Lambda environment variables example
  for r in $(find . -type f -name 'scoutsuite_results*.js'); do tail -n +2 "$r" | jq '.services.awslambda.regions[].functions[] | select(.env_variables != []) | .arn, .env_variables'; done
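The jq one-liners above and the "find and parse the scoutsuite_results*.js file(s)" step from slide 23 are the same job, so here is one added example (my own code, not from the deck, ScoutSuite or Outpost) that does it in Python across every per-account report directory: strip the assignment line, parse the JSON, reproduce the two queries (EC2 user data, Lambda environment variables), grep both for credential-looking strings, and list every finding ScoutSuite rated danger or warning with its affected items. The report content, account ID and secret values are constructed, and the nesting of the real result file is assumed to match the paths the jq queries use.

```python
"""Parse scoutsuite_results*.js files and pull out the quick wins.

Added example, not code from the deck, ScoutSuite or Outpost. ScoutSuite
writes 'scoutsuite_results =' on line 1 and JSON below it, so load_results()
does what 'tail -n +2' does. SAMPLE_REPORT and its account ID, ARNs and
secret values are constructed; its structure is assumed to match the paths
the slides query with jq.
"""
import json
import re
import tempfile
from pathlib import Path

SECRET_PATTERNS = {   # strings worth a second look in user data / env vars
    "aws_access_key": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_key": re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*\S{40}"),
    "generic_password": re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*\S+"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
}

# Constructed stand-in for ./reports/<account>/scoutsuite_results-<account>.js
SAMPLE_REPORT = """scoutsuite_results =
{"account_id": "111111111111", "services": {
  "ec2": {
    "findings": {"ec2-security-group-opens-all-ports-to-all": {
      "level": "danger", "flagged_items": 1,
      "description": "Security group opens all ports to all",
      "items": ["ec2.regions.us-east-1.vpcs.vpc-0a.security_groups.sg-0b"]}},
    "regions": {"us-east-1": {"vpcs": {"vpc-0a": {"instances": {
      "i-0c": {"arn": "arn:aws:ec2:us-east-1:111111111111:instance/i-0c",
               "user_data": "#!/bin/bash\\nexport AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\\n"},
      "i-0d": {"arn": "arn:aws:ec2:us-east-1:111111111111:instance/i-0d",
               "user_data": null}}}}}}},
  "awslambda": {
    "findings": {},
    "regions": {"us-east-1": {"functions": {
      "billing": {"arn": "arn:aws:lambda:us-east-1:111111111111:function:billing",
                  "env_variables": {"DB_PASSWORD": "hunter2", "LOG_LEVEL": "info"}}}}}}}}
"""


def load_results(path):
    """Drop the 'scoutsuite_results =' line (tail -n +2) and parse the JSON."""
    text = Path(path).read_text(encoding="utf-8")
    return json.loads(text[text.index("\n") + 1:])


def ec2_user_data(results):
    """jq: .services.ec2.regions[].vpcs[].instances[] | select(.user_data != null)"""
    for region in results["services"].get("ec2", {}).get("regions", {}).values():
        for vpc in region.get("vpcs", {}).values():
            for inst in vpc.get("instances", {}).values():
                if inst.get("user_data"):
                    yield inst["arn"], inst["user_data"]


def lambda_env(results):
    """jq: .services.awslambda.regions[].functions[] | select(.env_variables != {})"""
    for region in results["services"].get("awslambda", {}).get("regions", {}).values():
        for fn in region.get("functions", {}).values():
            if fn.get("env_variables"):
                yield fn["arn"], fn["env_variables"]


def scan_secrets(text):
    """Names of the SECRET_PATTERNS that match somewhere in text."""
    return [name for name, rx in SECRET_PATTERNS.items() if rx.search(text)]


def flagged_findings(results, levels=("danger", "warning")):
    """Every ScoutSuite finding at the given levels, with its affected items."""
    for svc_name, svc in results["services"].items():
        for fid, f in svc.get("findings", {}).items():
            if f.get("level") in levels and f.get("flagged_items", 0) > 0:
                yield {"account": results.get("account_id"), "service": svc_name,
                       "finding": fid, "level": f["level"], "items": f.get("items", [])}


def triage(root):
    """find <root> -name 'scoutsuite_results*.js', then collect the quick wins."""
    out = {"findings": [], "user_data_secrets": [], "lambda_env_secrets": []}
    for path in sorted(Path(root).rglob("scoutsuite_results*.js")):
        res = load_results(path)
        out["findings"].extend(flagged_findings(res))
        out["user_data_secrets"] += [(arn, h) for arn, ud in ec2_user_data(res)
                                     if (h := scan_secrets(ud))]
        # scan env vars as KEY=VALUE lines so name-based patterns (password=) fire too
        out["lambda_env_secrets"] += [
            (arn, h) for arn, env in lambda_env(res)
            if (h := scan_secrets("\n".join(f"{k}={v}" for k, v in env.items())))]
    return out


def demo():
    """Write the constructed report under a temp ./reports/<account>/ tree and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        report_dir = Path(tmp) / "reports" / "111111111111"
        report_dir.mkdir(parents=True)
        (report_dir / "scoutsuite_results-111111111111.js").write_text(SAMPLE_REPORT, encoding="utf-8")
        return triage(tmp)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Point triage() at the ./reports/ directory the loop on slide 44 produced and it walks all accounts in one pass; the secret patterns are deliberately loose, so treat a hit as a lead to verify, not a finding.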
• 46. SCALING THE PENTEST: INTRODUCING OUTPOST
  Nothing sexy but useful!
  • Quickly generates ~/.aws/config with AssumeRole profiles for all accounts
  • Prior to the pentest, tests access to the AWS accounts using the profiles from accounts.txt
  • Generates findings from the Scout vulnerability scans (danger/warning levels)
  • 300+ accounts? No problem. It parses all results and generates findings
  • Generates a list of findings, affected resources, and the vulnerable account
  • After scanning with Scout, use Outpost to find the quick wins
• 47. SCALING THE PENTEST: INTRODUCING OUTPOST
  https://darkoptics.com/outpost
• 49. CLOSING THOUGHTS: CLIENT RECOMMENDATIONS
  • Always. Use. CloudTrail.
  • Implement a routine AWS pentest on all accounts
  • Restrict policies to specific principals
  • Always implement a least-privilege model
  • Require IMDSv2 on instances and block web app access to 169.254.169.254
  • Watch out for iam:PassRole on "*"
  • Avoid using "Principal" : { "AWS" : "*" }
  • Avoid NotAction + Allow
  Have questions? Need a pentest? Reach out!
• 50. CLOSING THOUGHTS: PENTESTER RECOMMENDATIONS
  • Follow the traditional pentest phases
  • The more attack surface you know about, the better the test
  • Lots of accounts? Cast a wide net, then narrow your focus
  • Few accounts? Discover everything and dig deep into policies/roles
  • Create cheat sheets of one-liners for repetitive tasks
  • Get familiar with the AWS service offerings
  • Great time to start, cloud pentesting is still very new
  Have questions? Want to learn to pentest AWS? Reach out!
• 51. THANKS FOR JOINING! FOLLOW ME ON TWITTER: @USTAYREADY